Important Information for CSP Microsoft Integrations
Microsoft 365 Management features are currently in EA (Early Access). Click here to participate.
This document describes some important prerequisites for integrating Syncro with Microsoft as a Cloud Solution Provider (CSP). (For instructions, see Integrate Microsoft.)
You can either integrate:
- Your Microsoft Tenants in bulk through your CSP Microsoft 365 Tenant credentials and Microsoft Partner Center GDAP relationships, or
- Each Microsoft Tenant as a Single Tenant using a unique Global Administrator account for each individual Microsoft 365 Tenant.
WARNING: Attempting to connect a CSP Microsoft 365 Tenant using the Single Tenant option will cause the integration to fail. If you have a CSP Microsoft 365 Tenant, we strongly recommend that you choose the Cloud Solution Provider option. Using both methods to connect Microsoft Tenants will generate connectivity errors.
Required Permissions
Connecting to Microsoft 365 Tenants through a CSP Microsoft 365 Tenant requires specific Microsoft Partner Center configurations, and the authenticating user must meet certain requirements.
Tip: If you use Microsoft SSO to log into Syncro, be certain that your Syncro user login has all the required permissions for integration.
The authenticating user must:
- Be a CSP Microsoft 365 Tenant Global Admin,
- Have Admin Agent privileges,
- Be a member of the Security Group(s) associated with the appropriately privileged GDAP relationships with the Microsoft 365 Tenant (see below), and
- Be prompted by Entra ID MFA when authenticating. (Microsoft does not allow access to Microsoft 365 Tenants via GDAP using third-party MFA applications.)
In Microsoft Partner Center, each Microsoft 365 Tenant must have:
- A GDAP relationship with either a Global Administrator privilege or ALL of the following specific privileges:
  - Application Administrator
  - Authentication Policy Administrator
  - Cloud App Security Administrator
  - Cloud Device Administrator
  - Exchange Administrator
  - Intune Administrator
  - Privileged Authentication Administrator
  - Privileged Role Administrator
  - Security Administrator
  - SharePoint Administrator
  - Teams Administrator
  - User Administrator
- The GDAP relationship assigned to a CSP Microsoft 365 Tenant Security Group and the appropriate roles selected (see list above).
For example, if your CSP account can access 100 Tenants and you only want to integrate with 75, you'll need to add these roles to the 75 GDAPs that represent the 75 Tenants you want to integrate. You'll need to go into each Tenant GDAP individually.
Tip: You only need to enable the above GDAP relationship for the Microsoft 365 Tenants you want to integrate. For example, if your CSP Microsoft 365 Tenant can access 100 Microsoft 365 Tenants and you only want to integrate 75, you'll need to create the GDAP relationship described above with the desired 75 Microsoft 365 Tenants in the Microsoft Partner Center.
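An added example (not Syncro's or Microsoft's code) that checks the prerequisites above against GDAP relationship records before you attempt the integration. The record layout, tenant names and group names are constructed for illustration; the role names are the ones listed on this page.

```python
# Added example: role names come from this page; the record layout is hypothetical.
GLOBAL_ADMIN = "Global Administrator"
REQUIRED_ROLES = frozenset({
    "Application Administrator", "Authentication Policy Administrator",
    "Cloud App Security Administrator", "Cloud Device Administrator",
    "Exchange Administrator", "Intune Administrator",
    "Privileged Authentication Administrator", "Privileged Role Administrator",
    "Security Administrator", "SharePoint Administrator",
    "Teams Administrator", "User Administrator",
})

def audit(rel, user_groups):
    """Return a list of problems; an empty list means the prerequisites are met."""
    if not rel["assignments"]:
        return ["relationship is not assigned to a security group"]
    mine = [a for a in rel["assignments"] if a["group"] in user_groups]
    if not mine:
        return ["authenticating user is not in an assigned security group"]
    # Roles the user actually receives: selected on a group assignment the
    # user belongs to AND present on the relationship itself.
    effective = set().union(*(a["roles"] for a in mine)) & set(rel["roles"])
    if GLOBAL_ADMIN in effective:
        return []
    return ["missing role: " + r for r in sorted(REQUIRED_ROLES - effective)]

def audit_all(relationships, user_groups):
    """Map each tenant name to its list of problems."""
    return {r["tenant"]: audit(r, user_groups) for r in relationships}

# Constructed sample data (not real tenants or groups).
SAMPLE = [
    {"tenant": "tenant-a", "roles": [GLOBAL_ADMIN],
     "assignments": [{"group": "sg-gdap-admins", "roles": [GLOBAL_ADMIN]}]},
    {"tenant": "tenant-b", "roles": sorted(REQUIRED_ROLES),
     "assignments": [{"group": "sg-gdap-admins",
                      "roles": sorted(REQUIRED_ROLES - {"Intune Administrator"})}]},
    {"tenant": "tenant-c", "roles": sorted(REQUIRED_ROLES),
     "assignments": [{"group": "sg-gdap-helpdesk", "roles": sorted(REQUIRED_ROLES)}]},
    {"tenant": "tenant-d", "roles": sorted(REQUIRED_ROLES), "assignments": []},
]

if __name__ == "__main__":
    # The authenticating user is assumed to belong only to sg-gdap-admins.
    for tenant, problems in audit_all(SAMPLE, {"sg-gdap-admins"}).items():
        print(tenant, "OK" if not problems else "; ".join(problems))
```

The check treats a role as usable only when it is selected on a security group assignment the authenticating user belongs to, which catches the case where the relationship carries every role but the group assignment omits one.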
Additional Resources
For more information about configuring GDAP relationships in Microsoft Partner Center, refer to the following Microsoft Learn articles: